Debugger Detection

Detecting that a debugger is attached to a production app is a key RASP feature. Attaching a debugger to an app should only be possible in the development phase and should never occur with a production app. A debugger attached to a production app is a clear sign of malicious tampering.

Malwarelytics for Apple can either block a debugger from attaching to the app process or detect that a debugger has been attached. In the detection case, it can be configured to terminate the app.

Configuration

let raspConfig = AppProtectionRaspConfig(
    debugger: .notify // any DebuggerDetectionConfig value listed below
    // configuration of other RASP features
)

Available values of DebuggerDetectionConfig:

| Value | Description |
| --- | --- |
| .noAction | Debuggers will not be automatically detected. A manual check is still possible. |
| .notify | Debuggers will be automatically detected and the delegates will be notified via the debuggerDetected() method. |
| .block | Debuggers will be blocked from attaching to the application process. |
| .exit(exitUrl: String?) | Debuggers will be automatically detected and the app will be terminated when a debugger is detected. |

Debugger detection defaults to .notify.

List of available parameters for some config values:

| Parameter | Description |
| --- | --- |
| exitUrl: String? | Defines the URL to be opened when the app is terminated because of the automatic detection. Defaults to nil. |

Usage

After service creation, the debugger detection feature can be accessed via AppProtectionRasp. This can be used to add a delegate or to trigger a manual debugger detection check.

Observing Detection

Debugger detection can trigger an action in the app. To react to a detection, add a delegate.

Delegate configuration:

class RaspDelegate: AppProtectionRaspDelegate {

    // other delegate code

    func debuggerDetected() {
        // handle debugger detection
    }
}

The delegate can be added in AppProtectionRasp. When it is no longer needed, it can be removed again.

let raspDelegate = RaspDelegate()
appProtection.rasp.addDelegate(raspDelegate)
appProtection.rasp.removeDelegate(raspDelegate)

Triggering a Manual Check

A debugger detection check can be triggered manually in AppProtectionRasp by reading the isDebuggerConnected property. The result is a simple Bool.

let isDebuggerConnected = appProtection.rasp.isDebuggerConnected
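The automatic notification and the manual check can feed the same response. The following is an added example, not Malwarelytics code: `DebuggerStatusProviding`, `SessionVault`, `DebuggerResponse` and `authorize` are hypothetical names, and the protocol stands in for `appProtection.rasp` so the sketch compiles without the SDK.

```swift
import Foundation

// Hypothetical stand-in for appProtection.rasp; only the documented
// isDebuggerConnected property is assumed.
protocol DebuggerStatusProviding { var isDebuggerConnected: Bool { get } }

// Hypothetical holder for an in-memory session secret.
final class SessionVault {
    private let lock = NSLock()
    private var token: Data?
    private var locked = false

    func store(_ newToken: Data) {
        lock.lock(); defer { lock.unlock() }
        if !locked { token = newToken }
    }

    func currentToken() -> Data? {
        lock.lock(); defer { lock.unlock() }
        return locked ? nil : token
    }

    // Best-effort zeroing of the secret, then refuse further use in this process.
    func wipeAndLock() {
        lock.lock(); defer { lock.unlock() }
        if let count = token?.count { token?.resetBytes(in: 0..<count) }
        token = nil
        locked = true
    }
}

// In the app, this class would also conform to AppProtectionRaspDelegate
// and be registered with appProtection.rasp.addDelegate(_:).
final class DebuggerResponse {
    private let rasp: DebuggerStatusProviding
    private let vault: SessionVault
    init(rasp: DebuggerStatusProviding, vault: SessionVault) {
        self.rasp = rasp; self.vault = vault
    }

    // Automatic path: the delegate callback delivered under .notify.
    func debuggerDetected() { vault.wipeAndLock() }

    // Manual path: re-check immediately before a sensitive operation.
    func authorize<T>(_ operation: (Data) throws -> T) rethrows -> T? {
        if rasp.isDebuggerConnected { vault.wipeAndLock(); return nil }
        guard let token = vault.currentToken() else { return nil }
        return try operation(token)
    }
}
```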

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on Apr 11, 2024 (08:13)